pawnshop-laptop-in-the-hood-contd


  • This topic is locked
3 replies to this topic

#1 ZRiCH88

  • Members
  • 4 posts
  • OFFLINE
  • Local time:02:22 PM

Posted 02 June 2014 - 10:49 PM

http://www.bleepingcomputer.com/forums/t/536395/jrt-highlights-include-check-for-tdl4-rootkit/

 

Whilst awaiting replies I was unfamiliar with how things were run and tried a rootkit remover on my own.

Ran TDSSKiller from Kaspersky while waiting for a reply. Seemed to help, though I am not fluent in malware.

After running TDSSKiller I saw Broni's latest post and followed the instructions from 6. So here are the DDS reports post-TDSSKiller; let me know if I need help.

DDS (Ver_2012-11-20.01) - NTFS_AMD64 
Internet Explorer: 10.0.9200.16618  BrowserJavaVersion: 10.60.2
Run by Owner-1 at 23:22:25 on 2014-06-02
Microsoft Windows 7 Home Premium   6.1.7601.1.1252.1.1033.18.4004.1867 [GMT -4:00]
.
AV: avast! Antivirus *Enabled/Updated* {17AD7D40-BA12-9C46-7131-94903A54AD8B}
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: avast! Antivirus *Enabled/Updated* {ACCC9CA4-9C28-93C8-4B81-AFE241D3E736}
FW: avast! Antivirus *Enabled* {2F96FC65-F07D-9D1E-5A6E-3DA5C487EAF0}
.
============== Running Processes ===============
.
C:\windows\system32\lsm.exe
C:\windows\system32\svchost.exe -k DcomLaunch
C:\windows\system32\svchost.exe -k RPCSS
C:\windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\windows\system32\svchost.exe -k LocalService
C:\windows\system32\svchost.exe -k netsvcs
C:\Program Files\IDT\WDM\STacSV64.exe
C:\windows\system32\svchost.exe -k NetworkService
C:\Program Files\Dell\DW WLAN Card\WLTRYSVC.EXE
C:\windows\system32\WLANExt.exe
C:\windows\system32\Dwm.exe
C:\Program Files\AVAST Software\Avast\AvastSvc.exe
C:\windows\system32\taskhost.exe
C:\windows\System32\spoolsv.exe
C:\windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\AVAST Software\Avast\afwServ.exe
C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
C:\Program Files\IDT\WDM\AESTSr64.exe
C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe
C:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Program Files (x86)\Dell\Dell Datasafe Online\NOBuAgent.exe
C:\Program Files (x86)\Dell DataSafe Local Backup\sftservice.EXE
C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe
C:\windows\system32\svchost.exe -k imgsvc
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\windows\system32\wbem\wmiprvse.exe
C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE
C:\Program Files (x86)\Dell DataSafe Local Backup\TOASTER.EXE
C:\Program Files (x86)\Dell DataSafe Local Backup\COMPONENTS\SCHEDULER\STSERVICE.EXE
C:\Program Files (x86)\Dell DataSafe Local Backup\Components\DSUpdate\DSUpd.exe
C:\windows\system32\svchost.exe -k bthsvcs
C:\windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files\DellTPad\Apoint.exe
C:\Windows\System32\igfxtray.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Users\Owner-1\AppData\Local\Apps\2.0\6HYYZ31A.A4A\7BJ3YG91.DLJ\dell..tion_0f612f649c4a10af_0005.0007_59de4fd2458fcaec\DellSystemDetect.exe
C:\Program Files\DellTPad\ApMsgFwd.exe
C:\Program Files\AVAST Software\Avast\avastui.exe
C:\Program Files\DellTPad\HidFind.exe
C:\Program Files\DellTPad\Apntex.exe
C:\windows\system32\SearchIndexer.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\windows\System32\svchost.exe -k LocalServicePeerNet
C:\windows\system32\wbem\unsecapp.exe
C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exe
C:\Program Files (x86)\Intel\Intel® Management Engine Components\LMS\LMS.exe
C:\windows\System32\svchost.exe -k secsvcs
C:\Program Files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe
C:\windows\explorer.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\windows\servicing\TrustedInstaller.exe
C:\windows\system32\taskeng.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\windows\system32\wbem\wmiprvse.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\windows\system32\SearchProtocolHost.exe
C:\windows\system32\SearchFilterHost.exe
C:\windows\System32\cscript.exe
.
============== Pseudo HJT Report ===============
.
mWinlogon: Userinit = userinit.exe
BHO: Java™ Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre7\bin\ssv.dll
BHO: avast! Online Security: {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll
BHO: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
BHO: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre7\bin\jp2ssv.dll
uRun: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
uRun: [DellSystemDetect] C:\Users\Owner-1\AppData\Local\Apps\2.0\6HYYZ31A.A4A\7BJ3YG91.DLJ\dell..tion_0f612f649c4a10af_0005.0007_59de4fd2458fcaec\DellSystemDetect.exe
mRun: [AvastUI.exe] "C:\Program Files\AVAST Software\Avast\AvastUI.exe" /nogui
mRun: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
dRunOnce: [FlashPlayerUpdate] C:\windows\SysWOW64\Macromed\Flash\FlashUtil32_12_0_0_77_ActiveX.exe -update activex
uPolicies-Explorer: NoDriveTypeAutoRun = dword:145
mPolicies-Explorer: NoActiveDesktop = dword:1
mPolicies-Explorer: NoActiveDesktopChanges = dword:1
mPolicies-System: ConsentPromptBehaviorAdmin = dword:5
mPolicies-System: ConsentPromptBehaviorUser = dword:3
mPolicies-System: EnableUIADesktopToggle = dword:0
mPolicies-System: EnableFirstLogonAnimation = dword:1
IE: {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
Trusted Zone: dell.com
DPF: {6C269571-C6D7-4818-BCA4-32A035E8C884} - hxxp://ccfiles.creative.com/Web/softwareupdate/su/ocx/15102/CTSUEng.cab
DPF: {D4B68B83-8710-488B-A692-D74B50BA558E} - hxxp://ccfiles.creative.com/Web/softwareupdate/ocx/15113/CTPIDPDE.cab
DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} - hxxp://ccfiles.creative.com/Web/softwareupdate/ocx/110926/CTPID.cab
TCP: NameServer = 192.168.1.254
TCP: Interfaces\{8EDE5632-CF0F-401F-9A53-23E3E3E971C8} : DHCPNameServer = 192.168.1.254
Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - C:\Program Files (x86)\Windows Live\Photo Gallery\AlbumDownloadProtocolHandler.dll
AppInit_DLLs=   
SSODL: WebCheck - <orphaned>
mASetup: {8A69D345-D564-463c-AFF1-A69D9E530F96} - "C:\Program Files (x86)\Google\Chrome\Application\35.0.1916.114\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --multi-install --chrome
x64-BHO: avast! Online Security: {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Program Files\AVAST Software\Avast\aswWebRepIE64.dll
x64-BHO: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
x64-BHO: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
x64-Run: [Apoint] C:\Program Files\DellTPad\Apoint.exe
x64-Run: [IgfxTray] C:\windows\System32\igfxtray.exe
x64-Run: [HotKeysCmds] C:\windows\System32\hkcmd.exe
x64-Run: [Persistence] C:\windows\System32\igfxpers.exe
x64-Run: [Broadcom Wireless Manager UI] C:\Program Files\Dell\DW WLAN Card\WLTRAY.exe
x64-IE: {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
x64-DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_27-windows-i586.cab
x64-DPF: {CAFEEFAC-0016-0000-0027-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_27-windows-i586.cab
x64-DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_27-windows-i586.cab
x64-Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - <orphaned>
x64-Notify: igfxcui - igfxdev.dll
x64-SSODL: WebCheck - <orphaned>
.
================= FIREFOX ===================
.
FF - ProfilePath - C:\Users\Owner-1\AppData\Roaming\Mozilla\Firefox\Profiles\gdzjy6l8.default\
FF - plugin: C:\PROGRA~2\MICROS~1\Office14\NPSPWRAP.DLL
FF - plugin: C:\Program Files (x86)\Adobe\Reader 11.0\Reader\AIR\nppdf32.dll
FF - plugin: C:\Program Files (x86)\Google\Update\1.3.24.7\npGoogleUpdate3.dll
FF - plugin: C:\Program Files (x86)\Java\jre7\bin\dtplugin\npdeployJava1.dll
FF - plugin: C:\Program Files (x86)\Java\jre7\bin\plugin2\npjp2.dll
FF - plugin: c:\Program Files (x86)\Microsoft Silverlight\5.1.30214.0\npctrlui.dll
FF - plugin: C:\Program Files (x86)\MindDabble_4pEI\Installr\1.bin\NP4pEISb.dll
FF - plugin: C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll
FF - plugin: C:\windows\SysWOW64\Macromed\Flash\NPSWF32_13_0_0_214.dll
.
============= SERVICES / DRIVERS ===============
.
R0 aswNdisFlt;Avast! Firewall Driver;C:\windows\System32\drivers\aswNdisFlt.sys [2014-5-25 447888]
R0 aswRvrt;avast! Revert;C:\windows\System32\drivers\aswRvrt.sys [2014-5-25 65776]
R0 aswVmm;avast! VM Monitor;C:\windows\System32\drivers\aswVmm.sys [2014-5-25 208416]
R0 PxHlpa64;PxHlpa64;C:\windows\System32\drivers\PxHlpa64.sys [2012-1-10 55856]
R1 aswKbd;aswKbd;C:\windows\System32\drivers\aswKbd.sys [2014-5-25 28184]
R1 aswSnx;aswSnx;C:\windows\System32\drivers\aswsnx.sys [2014-5-25 1039096]
R1 aswSP;aswSP;C:\windows\System32\drivers\aswsp.sys [2014-5-25 423240]
R2 AESTFilters;Andrea ST Filters Service;C:\Program Files\IDT\WDM\AESTSr64.exe [2012-1-10 89600]
R2 aswHwid;avast! HardwareID;C:\windows\System32\drivers\aswHwid.sys [2014-5-25 29208]
R2 aswMonFlt;aswMonFlt;C:\windows\System32\drivers\aswMonFlt.sys [2014-5-25 79184]
R2 aswStm;aswStm;C:\windows\System32\drivers\aswstm.sys [2014-5-25 85328]
R2 avast! Antivirus;avast! Antivirus;C:\Program Files\AVAST Software\Avast\AvastSvc.exe [2014-5-25 50344]
R2 avast! Firewall;avast! Firewall;C:\Program Files\AVAST Software\Avast\afwServ.exe [2014-5-25 109048]
R2 cvhsvc;Client Virtualization Handler;C:\Program Files (x86)\Common Files\microsoft shared\Virtualization Handler\CVHSVC.EXE [2013-4-22 822504]
R2 IAStorDataMgrSvc;Intel® Rapid Storage Technology;C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exe [2012-1-10 13336]
R2 NOBU;Dell DataSafe Online;C:\Program Files (x86)\Dell\Dell Datasafe Online\NOBuAgent.exe [2010-8-25 2823000]
R2 sftlist;Application Virtualization Client;C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe [2013-6-26 523944]
R2 SftService;SoftThinks Agent Service;C:\Program Files (x86)\Dell DataSafe Local Backup\SftService.exe [2012-1-10 1692480]
R2 UNS;Intel® Management and Security Application User Notification Service;C:\Program Files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe [2012-1-10 2656280]
R3 BcmVWL;Broadcom Virtual Wireless;C:\windows\System32\drivers\bcmvwl64.sys [2014-5-26 21568]
R3 BTWAMPFL;BTWAMPFL;C:\windows\System32\drivers\btwampfl.sys [2012-1-10 349736]
R3 btwl2cap;Bluetooth L2CAP Service;C:\windows\System32\drivers\btwl2cap.sys [2012-1-10 39464]
R3 CtClsFlt;Creative Camera Class Upper Filter Driver;C:\windows\System32\drivers\CtClsFlt.sys [2012-6-9 176000]
R3 IntcDAud;Intel® Display Audio;C:\windows\System32\drivers\IntcDAud.sys [2014-5-26 342528]
R3 RTL8167;Realtek 8167 NT Driver;C:\windows\System32\drivers\Rt64win7.sys [2012-1-10 533096]
R3 Sftfs;Sftfs;C:\windows\System32\drivers\Sftfslh.sys [2013-6-26 767144]
R3 Sftplay;Sftplay;C:\windows\System32\drivers\Sftplaylh.sys [2013-6-26 273576]
R3 Sftredir;Sftredir;C:\windows\System32\drivers\Sftredirlh.sys [2013-6-26 28840]
R3 Sftvol;Sftvol;C:\windows\System32\drivers\Sftvollh.sys [2013-6-26 23208]
R3 sftvsa;Application Virtualization Service Agent;C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe [2013-6-26 207528]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2013-9-11 105144]
S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2013-9-11 124088]
S2 RoxWatch12;Roxio Hard Drive Watcher 12;C:\Program Files (x86)\Common Files\Roxio Shared\OEM\12.0\SharedCOM\RoxWatch12OEM.exe [2010-11-25 219632]
S3 BRDriver64;BRDriver64;C:\ProgramData\BitRaider\BRDriver64.sys [2014-5-27 75048]
S3 BRSptSvc;BitRaider Mini-Support Service;C:\ProgramData\BitRaider\BRSptSvc.exe [2014-5-26 477960]
S3 HTCAND64;HTC Device Driver;C:\windows\System32\drivers\ANDROIDUSB.sys [2009-11-1 33736]
S3 htcusbnet;HTC USB-NDIS miniport;C:\windows\System32\drivers\htcusbnet.sys [2012-7-5 153600]
S3 PCDSRVC{1E208CE0-FB7451FF-06020200}_0;PCDSRVC{1E208CE0-FB7451FF-06020200}_0 - PCDR Kernel Mode Service Helper Driver;C:\Program Files\Dell Support Center\pcdsrvc_x64.pkms [2012-8-17 25584]
S3 RoxMediaDB12OEM;RoxMediaDB12OEM;C:\Program Files (x86)\Common Files\Roxio Shared\OEM\12.0\SharedCOM\RoxMediaDB12OEM.exe [2010-11-25 1116656]
S3 RSUSBSTOR;RtsUStor.Sys Realtek USB Card Reader;C:\windows\System32\drivers\RtsUStor.sys [2012-1-10 250984]
S3 taphss6;Anchorfree HSS VPN Adapter;C:\windows\System32\drivers\taphss6.sys [2013-2-12 42184]
S3 TsUsbFlt;TsUsbFlt;C:\windows\System32\drivers\TsUsbFlt.sys [2010-11-20 59392]
S3 TsUsbGD;Remote Desktop Generic USB Device;C:\windows\System32\drivers\TsUsbGD.sys [2010-11-20 31232]
S3 WatAdminSvc;Windows Activation Technologies Service;C:\windows\System32\Wat\WatAdminSvc.exe [2012-5-19 1255736]
S4 wlcrasvc;Windows Live Mesh remote connections service;C:\Program Files\Windows Live\Mesh\wlcrasvc.exe [2010-9-22 57184]
.
=============== Created Last 30 ================
.
2014-06-03 00:16:21 -------- d-----w- C:\windows\CheckSur
2014-06-02 22:53:21 -------- d-----w- C:\ProgramData\Oracle
2014-06-02 22:52:35 98216 ----a-w- C:\windows\SysWow64\WindowsAccessBridge-32.dll
2014-06-02 22:35:07 -------- d-----w- C:\TDSSKiller_Quarantine
2014-06-02 20:39:18 536576 ----a-w- C:\windows\SysWow64\sqlite3.dll
2014-06-02 20:36:45 -------- d-----w- C:\AdwCleaner
2014-06-02 20:35:54 -------- d-----w- C:\windows\ERUNT
2014-06-02 20:15:28 -------- d-----w- C:\Program Files\CCleaner
2014-05-31 07:52:58 75888 ----a-w- C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{996F1D8E-C9B6-43C1-9B9E-A1868868CE43}\offreg.dll
2014-05-31 00:23:37 10702536 ----a-w- C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{996F1D8E-C9B6-43C1-9B9E-A1868868CE43}\mpengine.dll
2014-05-27 23:40:00 -------- d-----w- C:\Users\Owner-1\AppData\Local\SWTOR
2014-05-26 23:49:07 1135104 ----a-w- C:\windows\System32\BCMLogon.dll
2014-05-26 23:36:51 20992 ----a-w- C:\windows\System32\OpenCL.dll
2014-05-26 23:36:51 144896 ----a-w- C:\windows\System32\IntelOpenCL64.dll
2014-05-26 23:36:48 17920 ----a-w- C:\windows\SysWow64\OpenCL.dll
2014-05-26 23:36:48 104448 ----a-w- C:\windows\SysWow64\IntelOpenCL32.dll
2014-05-26 23:32:57 80384 ----a-w- C:\windows\System32\igdde64.dll
2014-05-26 23:15:57 113048 ----a-w- C:\windows\System32\Vxdif.dll
2014-05-26 23:15:53 447864 ----a-w- C:\windows\System32\drivers\Apfiltr.sys
2014-05-26 22:53:31 -------- d-----w- C:\Intel
2014-05-26 22:15:22 -------- d-----w- C:\ProgramData\SystemRequirementsLab
2014-05-26 22:15:22 -------- d-----w- C:\Program Files (x86)\SystemRequirementsLab
2014-05-26 21:03:30 -------- d-----w- C:\Users\Owner-1\AppData\Local\Macromedia
2014-05-26 17:41:54 -------- d-----w- C:\Program Files\paint.net
2014-05-26 17:40:58 -------- d-----w- C:\Users\Owner-1\AppData\Local\paint.net
2014-05-26 06:15:58 -------- d-----w- C:\ProgramData\BitRaider
2014-05-26 06:13:58 -------- d-----w- C:\Users\Owner-1\AppData\Local\SWTORPerf
2014-05-26 06:13:03 4991496 ----a-w- C:\windows\System32\D3DX9_38.dll
2014-05-26 06:13:03 3850760 ----a-w- C:\windows\SysWow64\D3DX9_38.dll
2014-05-26 06:12:18 -------- d-----w- C:\Program Files (x86)\Common Files\BioWare
2014-05-25 23:36:24 28184 ----a-w- C:\windows\System32\drivers\aswKbd.sys
2014-05-25 23:35:51 447888 ----a-w- C:\windows\System32\drivers\aswNdisFlt.sys
2014-05-25 23:24:52 -------- d-----w- C:\Users\Owner-1\AppData\Roaming\DropboxMaster
2014-05-25 23:21:56 -------- d-----w- C:\Users\Owner-1\AppData\Roaming\Dropbox
2014-05-25 23:16:24 -------- d-----w- C:\Users\Owner-1\AppData\Roaming\AVAST Software
2014-05-25 22:48:42 85328 ----a-w- C:\windows\System32\drivers\aswstm.sys
2014-05-25 22:48:42 208416 ----a-w- C:\windows\System32\drivers\aswVmm.sys
2014-05-25 22:48:42 1039096 ----a-w- C:\windows\System32\drivers\aswsnx.sys.1401059604881
2014-05-25 22:48:42 1039096 ----a-w- C:\windows\System32\drivers\aswsnx.sys
2014-05-25 22:48:41 65776 ----a-w- C:\windows\System32\drivers\aswRvrt.sys
2014-05-25 22:48:41 423240 ----a-w- C:\windows\System32\drivers\aswsp.sys.1401059604881
2014-05-25 22:48:40 79184 ----a-w- C:\windows\System32\drivers\aswMonFlt.sys
2014-05-25 22:48:40 29208 ----a-w- C:\windows\System32\drivers\aswHwid.sys
2014-05-25 22:48:39 93568 ----a-w- C:\windows\System32\drivers\aswRdr2.sys
2014-05-25 22:48:30 43152 ----a-w- C:\windows\avastSS.scr
2014-05-25 22:47:34 -------- d-----w- C:\Program Files\AVAST Software
2014-05-25 22:44:30 -------- d-----w- C:\ProgramData\AVAST Software
2014-05-25 15:42:09 -------- d-----w- C:\Users\Owner-1\AppData\Local\SoftGrid Client
2014-05-25 15:42:07 -------- d-----w- C:\Users\Owner-1\AppData\Roaming\SoftGrid Client
2014-05-25 04:03:37 -------- d-----w- C:\Users\Owner-1\AppData\Local\Apps
2014-05-25 04:03:36 -------- d-----w- C:\Users\Owner-1\AppData\Local\Deployment
2014-05-25 02:51:40 -------- d-----w- C:\windows\System32\MpEngineStore
2014-05-25 02:47:57 -------- d-----w- C:\windows\Migration
2014-05-25 02:46:20 -------- d-----w- C:\2ea79a2277567e2581b0db5e40be8e
2014-05-25 01:49:43 -------- d-----w- C:\windows\System32\MRT
2014-05-25 01:30:18 -------- d-----w- C:\Users\Owner-1\AppData\Local\ElevatedDiagnostics
2014-05-25 01:30:15 -------- d-----w- C:\windows\pss
2014-05-25 01:28:00 6103040 ----a-w- C:\Program Files (x86)\GUTE206.tmp
2014-05-25 01:28:00 -------- d-----w- C:\Program Files (x86)\GUME205.tmp
2014-05-25 01:27:46 -------- d-----w- C:\Users\Owner-1\AppData\Local\Diagnostics
2014-05-25 00:51:10 10702536 ----a-w- C:\ProgramData\Microsoft\Windows Defender\Definition Updates\Backup\mpengine.dll
2014-05-25 00:43:24 -------- d-----w- C:\Users\Owner-1\AppData\Local\Google
2014-05-15 17:46:02 -------- d-----w- C:\Users\Owner-1\AppData\Roaming\Intel Corporation
2014-05-15 17:45:59 -------- d-----w- C:\Users\Owner-1\AppData\Roaming\Dell
2014-05-15 17:45:40 -------- d-----w- C:\Users\Owner-1\AppData\Local\Dell
2014-05-15 17:45:39 -------- d-----w- C:\Users\Owner-1\AppData\Roaming\Fingertapps
2014-05-13 20:08:02 -------- d-----w- C:\Users\Owner-1\AppData\Local\VirtualStore
2014-05-13 20:08:02 -------- d-----w- C:\Users\Owner-1\AppData\Local\Apple
2014-05-09 22:33:30 -------- d-----w- C:\ProgramData\VirtualizedApplications
2014-05-09 22:25:42 -------- d-----w- C:\ProgramData\Nero
2014-05-08 19:52:08 -------- d-----w- C:\ProgramData\NortonInstaller
2014-05-08 16:06:42 -------- d-sh--w- C:\$RECYCLE.BIN
.
==================== Find3M  ====================
.
2014-06-02 22:38:14 512000 ----a-w- C:\windows\System32\rpcss.dll
2014-05-26 21:03:16 692400 ----a-w- C:\windows\SysWow64\FlashPlayerApp.exe
2014-05-26 21:03:15 70832 ----a-w- C:\windows\SysWow64\FlashPlayerCPLApp.cpl
2014-04-23 20:20:16 773968 ----a-w- C:\windows\SysWow64\msvcr100.dll
2014-04-23 20:20:16 57168 ----a-w- C:\windows\System32\vcomp100.dll
2014-04-23 20:20:16 51024 ----a-w- C:\windows\SysWow64\vcomp100.dll
2014-04-23 20:20:16 421200 ----a-w- C:\windows\SysWow64\msvcp100.dll
2014-03-31 13:35:08 270496 ------w- C:\windows\System32\MpSigStub.exe
.
============= FINISH: 23:36:08.01 ===============
 

 

Problems: playing TV ads through speakers with no programs running. (Hasn't occurred since running TDSSKiller, though when the ad did play previously it was random and sometimes didn't happen for days, so it could happen again I guess :(

Slow startup, slow all-around performance.

 

 

Still unable to download Windows updates; 71 important updates fail consistently with an unknown error. Downloaded and ran http://download.microsoft.com/download/E/8/D/E8DAA970-1036-447F-B5EA-716D4BA70EC5/Windows6.1-KB947821-v33-x64.msu successfully. Updates still fail, without fail. < lol

 

Many thanks for your attention to this matter!
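As an added example, not part of the original thread or of DDS itself: a small Python triage script for lines in the shape of the DDS "SERVICES / DRIVERS" section pasted above. It flags kernel drivers loaded from outside System32\drivers and service binaries living in user-writable trees such as ProgramData, which is the kind of entry a helper reading such a log looks at first. The sample lines are copied from the log above; the trusted/writable directory lists and the report date are my assumptions.

```python
"""Triage the SERVICES / DRIVERS section of a DDS log for entries worth a closer look."""
import re
from datetime import date
from pathlib import PureWindowsPath

# Sample lines copied from the DDS log in this thread (used as the input).
SAMPLE = r"""
R0 aswRvrt;avast! Revert;C:\windows\System32\drivers\aswRvrt.sys [2014-5-25 65776]
R2 NOBU;Dell DataSafe Online;C:\Program Files (x86)\Dell\Dell Datasafe Online\NOBuAgent.exe [2010-8-25 2823000]
S3 BRDriver64;BRDriver64;C:\ProgramData\BitRaider\BRDriver64.sys [2014-5-27 75048]
S3 BRSptSvc;BitRaider Mini-Support Service;C:\ProgramData\BitRaider\BRSptSvc.exe [2014-5-26 477960]
S3 taphss6;Anchorfree HSS VPN Adapter;C:\windows\System32\drivers\taphss6.sys [2013-2-12 42184]
"""
# Assumed report date, taken from the "Run by Owner-1 at ... on 2014-06-02" header above.
REPORT_DATE = date(2014, 6, 2)

# Shape of one DDS service line:  R3 name;display name;C:\path\file.sys [2014-5-27 75048]
LINE_RE = re.compile(
    r"^(?P<state>[RS])(?P<start>\d)\s+"      # R = running, S = stopped; digit = start type
    r"(?P<name>[^;]+);(?P<display>[^;]*);"   # service name ; display name
    r"(?P<path>.+?)\s+\[(?P<date>\d{4}-\d{1,2}-\d{1,2})\s+(?P<size>\d+)\]\s*$"
)

# Assumption: roots under which a service binary is expected on a stock Windows 7 install.
TRUSTED_ROOTS = ("windows", "program files", "program files (x86)")
# Assumption: user-writable roots; a service or kernel driver living here deserves a second look.
WRITABLE_ROOTS = ("programdata", "users", "temp")


def parse_line(line):
    """Return a dict for one service/driver line, or None if the line is not one."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    y, mo, d = (int(x) for x in rec["date"].split("-"))
    rec["date"] = date(y, mo, d)
    rec["size"] = int(rec["size"])
    rec["start"] = int(rec["start"])
    return rec


def _top_dir(path):
    parts = PureWindowsPath(path).parts  # parts[0] is the drive, parts[1] the first directory
    return parts[1].lower() if len(parts) > 1 else ""


def _under_system_drivers(path):
    return "\\windows\\system32\\drivers\\" in str(PureWindowsPath(path)).lower()


def assess(rec):
    """Return the list of reasons an entry is suspicious (empty list = nothing to flag)."""
    reasons = []
    path, top = rec["path"], _top_dir(rec["path"])
    if path.lower().endswith(".sys") and not _under_system_drivers(path):
        reasons.append("kernel driver loaded from outside System32\\drivers")
    if top in WRITABLE_ROOTS:
        reasons.append(f"binary lives in user-writable tree '{top}'")
    elif top not in TRUSTED_ROOTS:
        reasons.append(f"binary under unexpected root '{top}'")
    if rec["start"] <= 1 and reasons:  # boot (0) / system (1) start runs before most defences
        reasons.append("boot/system start type amplifies the risk")
    return reasons


def triage(text, report_date):
    """Parse every service line in `text` and keep only the flagged ones, oldest-first order kept."""
    findings = []
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        reasons = assess(rec)
        if reasons:
            findings.append({"name": rec["name"], "path": rec["path"],
                             "days_old": (report_date - rec["date"]).days,
                             "reasons": reasons})
    return findings


def triage_sample():
    return triage(SAMPLE, REPORT_DATE)


if __name__ == "__main__":
    for f in triage_sample():
        print(f"{f['name']:<12} {f['days_old']:>3}d old  {f['path']}")
        for r in f["reasons"]:
            print(f"             - {r}")
```

Flagged entries are a starting point for a manual look at the binary (publisher, signature, install date), not a verdict on their own.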




#2 xXToffeeXx

    Bleepin' Polar Bear


  • Malware Response Instructor
  • 6,078 posts
  • OFFLINE
  • Gender:Female
  • Location:The Arctic Circle
  • Local time:07:22 PM

Posted 07 June 2014 - 10:22 AM

Greetings and :welcome: to BleepingComputer,
My name is xXToffeeXx, but feel free to call me Toffee if it is easier for you. I will be helping you with your malware problems.
 
A few points to cover before we start:

  • Do not run any tools without being instructed to as this makes my job much harder in trying to figure out what you have done.
  • Make sure to read my instructions fully before attempting a step.
  • If you have problems or questions with any of the steps, feel free to ask me. I will be happy to answer any questions you have.
  • Please follow the topic by clicking on the "Follow this topic" button, and make sure a tick is in the "receive notifications" and is set to "Instantly". Any replies should be made in this topic by clicking the "Reply to this topic" button.
  • Important information in my posts will often be in bold, make sure to take note of these.
  • I will attempt to reply as soon as possible, and normally within 24 hours of your reply. If this is not possible or I have a delay then I will let you know.
  • I will bump a topic after 3 days of no activity, and then will give you another 2 days to reply before a topic is closed. If you need more time than this please let me know.
  • Let's get going now :thumbup2:

==========================
 
Hi ZRiCH88,

I must give you this warning:
 
Looking through your logs, one or more of your infections has been identified as a Backdoor Trojan. These threats have backdoor functionality which allows hackers to remotely control your computer, steal critical system information, and download and execute files.
 
I highly suggest you disconnect this PC from the Internet immediately, and if possible use a clean computer and a flash drive to transfer the programs I request for you to run. If you do any banking or other financial transactions on the PC, or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable. It would be wise to contact those same financial institutions to notify them of your situation.
 
Due to the nature of this trojan, your computer is very likely to be compromised. There is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:
 
How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall
 
We can still clean this machine, but I can't guarantee that it will be 100% secure afterwards. If you decide to continue cleaning this machine, follow on with the rest of the steps posted below. If you do not want to clean this machine, please let me know.
 
--------------
 
Please download Farbar Recovery Scan Tool and save it to your Desktop.
 
Note: You need to run the version compatible with your system. If you are not sure which version applies to your system, download both of them and try to run them. Only one of them will run on your system, that will be the right version.

  • Right-click FRST then click "Run as administrator" (XP users: click run after receipt of Windows Security Warning - Open File).
  • When the tool opens, click Yes to disclaimer.
  • Press the Scan button.
  • When finished, it will produce a log called FRST.txt in the same directory the tool was run from.
  • Please copy and paste the log in your next reply.

Note 2: The first time the tool is run it generates another log (Addition.txt - also located in the same directory the tool was run from). Please also paste that, along with the FRST.txt into your next reply.
 
--------------
 
To recap, in your next reply I would like to see the following. Make sure to copy & paste them unless I ask otherwise:

  • FRST.txt
  • Addition.txt

xXToffeeXx~


~If I am helping you and you have not had a reply from me in two days, please send me a PM~

 

ID Ransomware - Identify What Ransomware Encrypted Your Files [Support Topic] - If we have helped you out and you want to support what we do, you can do so here

 

 ~Twitter~ | ~Malware Analyst at Emsisoft~


#3 xXToffeeXx


Posted 10 June 2014 - 01:07 PM

Hi ZRiCH88,
 
This is a 3 day bump:
 
It has been 3 days since my last post.

  • Do you still need help with this?
  • If after 48hrs you have not replied to this thread then it will have to be closed.

xXToffeeXx~




#4 xXToffeeXx


Posted 13 June 2014 - 10:25 AM

Due to the lack of feedback, this topic is now closed.

In the event you still have problems, please send me or any Moderator a Private Message and ask them to reopen this topic within the next 5 days.

Please include a link to your topic in the Private Message. Thank you.
